Skip to content
No description, website, or topics provided.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
Model Inversion Attacks Against Collaborative Inference.pdf

Model Inversion Attack against Collaborative Inference

This code implements model inversion attacks against collaborative inference in the following paper:

Zecheng He, Tianwei Zhang and Ruby Lee, "Model Inversion Attacks Against Collaborative Inference", 35th Annual Computer Security Applications Conference (ACSAC'19), San Juan, Dec 2019

We provide three attacks, i.e. rMSE (Section 4), blackbox inverse network (Section 5) and query-free attack (Section 6) on CIFAR10 dataset. Attacks against MNIST are similar.


python 2.7


pip install numpy

pytorch 1.0.0

pip install torch

torchvision version 0.2.1:

pip install torchvision==0.2.1

2.Run the code:

(1) Train the target CIFAR model to inverse

python --dataset CIFAR10 --epochs 50

(2) Whitebox Regularized Maximum Likelihood Estimation (rMLE, Section 4)

python --iters 5000 --learning_rate 1e-2 --layer ReLU22 --lambda_TV 1e1 --lambda_l2 0.0

(3) Blackbox Inverse Network (Section 5)

Train inverse network

python --training --layer ReLU22 --iter 50 --decodername CIFAR10CNNDecoderReLU22

Inference inverse network

python --testing --decodername CIFAR10CNNDecoderReLU22 --layer ReLU22

(4) Query-free Attack (Section 6)

Train a shadow model

python --training --layer ReLU22 --iter 50

Inverse the shadow model

python --testing --layer ReLU22 --iter 500 --learning_rate 1e-1 --lambda_TV 2e0 --lambda_l2 0.0


(1) Please make sure to use torchvision v0.2.1:

import torchvision
print torchvision.__version__

(2) If no gpu supported on your machine, add --nogpu option in the command line.

(3) Please feel free to add --novalidation in your command line if it takes you too long to run in cpu-only mode and the model training/inverse are conducted on the same machine. It will disable evalTest() and evalTestSplitModel(), which are only used for validating the pre-trained models.


You are encouraged to cite the following paper.

  title={Model Inversion Attacks Against Collaborative Inference},
  author={He, Zecheng and Zhang, Tianwei and Lee, Ruby B},
  booktitle={Proceedings of the 35th Annual Computer Security Applications Conference},
You can’t perform that action at this time.